When can information be used?
By Tim Smith
In the absence of consent, anonymisation is the next best alternative, says Tim Smith
The starting point for data protection compliance is to determine whether information falls within the Data Protection Act regime at all. If the material is not data and/or is not personal data, it will not fall within the ambit of the Act.
The Information Commissioner has taken a very broad approach as to what constitutes data. The English courts, particularly in the Court of Appeal decision of Durant v Financial Services Authority, have taken what has been widely viewed as a more restrictive approach, reflecting the understanding that the Act was never intended to apply to each and every piece of information about an individual or each and every reference to their name.
The Court of Appeal recently looked at this issue in Efifion Edem v (1) Information Commissioner (2) Financial Services Authority. The decision has been heralded by some as marking a change in course from Durant.
However, in many respects, the decision in Edem is entirely consistent with Durant.
In both cases, the claimant had made a complaint to the Financial Services Authority and wished to obtain information from the FSA. Mr Durant wanted copies of documents in which he was named or identifiable. Mr Edem wanted to know the names of the junior members of staff who had dealt with his complaint.
Durant's claim failed, in essence, because the majority of the information he wanted did not constitute his personal data. Lord Justice Auld said that the mere mention of the individual in a document did not make the document that person's personal data. He said that it would assist in determining the issue to consider whether the information was biographical in a significant sense (i.e. going beyond the recording of someone's involvement in a matter or event that had no personal connotations) and whether the person was the focus of the information.
In Edem, the issue was whether the names of three junior officials were their personal data (rather than Edem's) and, if so, whether disclosure would contravene the first principle of the Act, which requires data to be processed fairly and lawfully and prohibits processing unless one of the conditions in schedule II of the Act is met.
The fact that Edem was seeking information about other individuals would, in many instances, have made the case sufficiently clear that his claim would have been dismissed at the outset.
However, such has been the confusion caused by the Act's wording and in interpreting the Durant decision that there was a debate about whether a person's name (when it revealed where they worked and what they did) was personal data. The court has now dealt with this (by confirming that the information requested in Edem was the personal data of the three individuals) and it is to be hoped that there will now be more clarity and less litigation over what is covered by the Act.
As previously, where information held by a firm is personal data then the firm should make sure that it complies with the Act. The easiest way to ensure compliance is to obtain consent from those whose personal data it is to use the data for the intended purposes.
In the absence of consent, anonymisation is the next best alternative, failing which firms may need to scrutinise the Act's schedules to explore whether compliance can be achieved.
Tim Smith is a partner at BLM